Secure website, lazy website developers

Are South African online retailers exempt from consumer security issues? It seems like some of them just don’t care, most notably, Kalahari.com.

Last week Friday I noticed an item appear in my basket on the site, a soft cover technical book. I was quite surprised and equally quite concerned as I never added it to the basket. So immediately I generated a new complex password for my account and proceeded to change my account password.

I followed up by emailing the Customer Service Manager with my concerns, as we’ve been in contact recently about some failed orders – a long story worthy of a series of blog posts! I don’t hear back from her and later I attempt to sign-in to my account once more only to be greeted with a sign-in failure dialog. So I try my previous password and it doesn’t work either.

Ok no worries, I use the password reset feature. About 10-15 minutes later I get an email with a new 5 character random password. I find it quite odd that the system generates such simple passwords, but at least its random I reckon. So I follow the instructions in the email and attempt to sign-in and change it to another suitably long and complex password. Alas their site doesn’t allow me to sign-in.

Dismayed I file off an email as per their instructions to their Support department, seeing as their Customer Service Manager at this point can’t be bothered to answer her phone or reply to my emails from earlier that morning. I get no response so I call the Customer Care line. The senior agent I get put through to explains that it takes about 30 minutes AFTER the new password is sent for the password to be reflected on the profile. So I wait another hour or so and try again. No joy. I give up.

On Saturday around lunchtime I get an email back from the support department telling me to sign-in with the following password and notice that it is indeed my password, not a new one, but my password is there in the email in clear-text!

Appalled by this I email the Customer Service Manager and explain how its not cool for Kalahari to store passwords in clear-text or even using reversible encryption, to which I get the following befuddled response clearly showing that the management doesn’t understand technology or how to read emails properly:

The support desk sign into your profile via our internal system called KMS, that enables us to do this without seeing / using your password.

What she failed to understand is that their Support staff managed to extract my password as clear-text and email it to me.

So now for the non-technical of you out there, let me put this in simple terms. Kalahari states in their Terms & Conditions:

You allow Kalahari to take all reasonable steps to ensure the integrity and security of the Website and back-office applications.

However it doesn’t appear that they implement the most common website security namely securing passwords. A common and recommended practice is for the website to store a one-way/non-reversible hash of your password. This means that if a hacker gets hold of their database or possibly even a disgruntled employee, they have no way other than brute-force to figure out your password.

But surely that shouldn’t be a problem as we all follow best practices and secure every site with a different password. Yeah right, not many people could be bothered. After all how dangerous is it if your Kalahari account is hacked ? Well What if you Kalahari password is the same as your company email account password or your online banking password? The risks are present, just not always clear to all.

My lesson out of this post is as follows, ensure every site and/or service you use has a unique and complex password. Use phrases, include spaces, include punctuation. Worried you will forget them, encrypt them using a master password in a password manager like 1Password (it syncs over DropBox onto all your devices). Just don’t be caught off-guard because sites like Kalahari don’t take all reasonable measures to ensure your data is safe.